The Internet of Things - a concept where regular, household devices are interconnected and exchange data - is not a sci-fi feature, but rather one that is increasingly present in our day-to-day life. From network-aware lighting systems to parking meters or health monitoring bracelets, the Internet of Things is making communication and data sharing easier, but it also exposes new devices to cyber-criminals.

What devices are at risk?

The Internet of Things comprises a variety of devices that have specialised tasks but are also able to connect to the Internet for additional features. Such devices range from the new set-top boxes that are able to deliver pay-per-view content to remotely controlled pet food and water dispensers, smart TVs, fitness bracelets that keep tabs on exercise or diet, Google's latest acquisition, the NEST climate control, and even next-generation fridges that update the owner's shopping list as they run out of food and drinks.

Most of these devices run a customised operating system, are network-aware and can be taught new tricks by simply installing plugins or via firmware updates. Since they are neither computers nor consumer electronics (but rather hybrids of the two), they have been developed with little to no security in mind. Mobile devices such as the above-mentioned fitness bracelets have been designed with miniaturisation and battery performance in mind, which means that security aspects associated with a network-aware device are often overlooked.

Room with a view? Rather a view of the room.

Smart TVs and kitchen appliances are not the only things that one can hook up to the Internet. Millions of other devices, such as baby monitors or IP-based surveillance cameras, are also a big chunk of the Internet of Things. This was the case with the TrendNet family of IP surveillance cameras back in 2012, which let anybody on the Internet see in real time what was happening in your shop, shed or living room. Now imagine that nearly every smart TV has a camera and microphone attached to it which might be turned on remotely.

Who would like to hack into my fridge?

Even though the number of Internet-aware devices is ridiculously high, cyber-criminals have often overlooked them because of either security challenges or difficulty connecting. Since most of these devices run a custom distribution of Linux, the only way to compromise them is to randomly ping devices on the Internet, attempt to brute-force their SSH credentials - often set to admin or root - and then download a customised virus written for the MIPS or ARM platforms. This is how the anonymous researchers who carried out the 2012 Internet Census managed to create the Carna botnet. Mobile devices that connect via 3G are more difficult to contact because their connection is often proxied by the carrier - they do not have an IP per connection, but rather share the same IP with many other 3G devices.

Regardless of how the compromise takes place, the Internet of Things has an extremely destructive potential. Of course, depending on their hardware and Internet connection configuration, these devices can be used for a variety of tasks, from storing information to sending spam, but their malicious potential is truly remarkable for DDoS attacks.

At the moment, there are about one billion "things" connected to the Internet, according to Gartner, with all of them able to at least perform a simple DNS lookup. This is more than enough material for cyber-crime.

How can a smart fridge knock you off the Internet?

By default, all Internet-enabled devices can resolve domain names to IP addresses. This feature is called DNS resolution and is performed by interrogating DNS servers, starting with the one in your router, then the ones set in place by your ISP and ultimately getting to the authoritative DNS server for the specific Top Level Domain. Because the DNS system needs to be extremely fast in order to minimise delays, the requests are sent via UDP, a protocol that does not validate the identity of the server. An attacker can use your fridge, for instance, to perform an extended DNS request and make it look as if a third party (i.e. your company's server) has requested the information. The DNS data - multiplied by a factor - is then delivered to the victim: the more rogue requests made on behalf of the victim, the greater the impact. This was the case with the attack against Spamhaus in March 2013, which peaked at roughly 300 Gbps.
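Seen from the targeted network, the reflected traffic described above is a stream of DNS answers that nobody inside asked for. The following sketch is an added example, not part of the original article: it matches answers to outstanding queries in a few constructed flow records and totals the unsolicited ones per target. The record layout, addresses (documentation ranges) and the `unsolicited_dns` name are assumptions.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed: the defended network

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, udp_bytes)
FLOWS = [
    (0.00, "192.0.2.10", 40001, "198.51.100.53", 53, 60),    # genuine query
    (0.02, "198.51.100.53", 53, "192.0.2.10", 40001, 120),   # its answer
    (1.00, "203.0.113.7", 53, "192.0.2.80", 31337, 3000),    # answer, no query sent
    (1.01, "203.0.113.8", 53, "192.0.2.80", 31337, 3100),
    (1.02, "203.0.113.9", 53, "192.0.2.80", 4444, 2900),
]

def unsolicited_dns(flows, local_net=LOCAL_NET, timeout=5.0):
    """Return {target_ip: stats} for DNS answers that match no recent local query."""
    pending = {}  # (client_ip, client_port, resolver_ip) -> time the query left
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for ts, src, sport, dst, dport, size in sorted(flows):
        if dport == 53 and ipaddress.ip_address(src) in local_net:
            # Outbound query: remember it so the answer can be matched.
            pending[(src, sport, dst)] = ts
        elif sport == 53 and ipaddress.ip_address(dst) in local_net:
            # Inbound answer: legitimate only if we asked this server recently.
            sent = pending.pop((dst, dport, src), None)
            if sent is None or ts - sent > timeout:
                stats = hits[dst]
                stats["packets"] += 1
                stats["bytes"] += size
                stats["reflectors"].add(src)
    return dict(hits)

if __name__ == "__main__":
    for target, stats in unsolicited_dns(FLOWS).items():
        print(target, stats["packets"], "packets,", stats["bytes"], "bytes from",
              len(stats["reflectors"]), "resolvers")
```

Large answers arriving from many resolvers at a host that sent no queries are the signature to alert on and to filter upstream.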

Where is this going?

The Internet of Things is growing at a tremendous pace as intelligent consumer electronics are carving their way into people's homes. In less than 6 years, the Internet of Things will reach 50 billion devices, according to a Cisco study. But IoT penetration is not limited to numbers: it is also starting to control more and more aspects of our daily lives, from ambient lighting to temperature control or physical security. And even if we don't expect these "things" to turn rogue and wreak havoc among their owners, chances are that somebody, somewhere is using them to attack others.

Bogdan Botezatu is Senior E-Threat Analyst, Bitdefender.

Comments (1)

Mark Andrews :

04 Sep 2014 12:23:01am

The only way a fridge can send a spoofed packet that gets delivered is if the ISP fails to perform proper source address filtering (see BCP38) of traffic from the customer. In addition, most NAT boxes will set the source address of the spoofed packet to the public address of the NAT box, causing the responses to be sent back to the customer rather than the intended victim.

This does mean that the fridge doesn't need to be secured against attacks. It does. Just that this particular attack is unlikely to work from the fridge. There are lots of other attacks that could be performed if the fridge is compromised.

Also note that a NAT or a firewall is not a panacea. They only protect against direct external attacks. Most attacks these days are launched from compromised web browsers inside the firewall.
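The source address filtering (BCP38) and NAT behaviour raised in the comment above can be modelled in a few lines. This is an added example, not part of the original article or comment: it traces where a resolver's answer would go for a packet with a forged source, depending on whether the home router rewrites sources and whether the ISP edge filters them. The port name, prefixes (documentation ranges) and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str  # source address as written by the sending device
    dst: str

# Constructed ISP edge table: customer port -> prefixes assigned to that customer
CUSTOMER_PREFIXES = {"port-7": [ipaddress.ip_network("198.51.100.16/29")]}
NAT_PUBLIC_IP = "198.51.100.17"  # constructed: the home router's public address

def source_nat(pkt, public_ip=NAT_PUBLIC_IP):
    """Home router doing source NAT: outbound packets leave with the router's
    public address, whatever the LAN device put in the source field."""
    return replace(pkt, src=public_ip)

def bcp38_permits(ingress_port, pkt, table=CUSTOMER_PREFIXES):
    """ISP ingress filter: accept only sources inside the customer's own prefixes."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in table.get(ingress_port, []))

def reply_destination(pkt, ingress_port, behind_nat, isp_filters):
    """Address the answer would be sent to, or None if dropped at the ISP edge."""
    if behind_nat:
        pkt = source_nat(pkt)
    if isp_filters and not bcp38_permits(ingress_port, pkt):
        return None
    return pkt.src

if __name__ == "__main__":
    # Constructed packet whose source field names a third party.
    forged = Packet(src="203.0.113.50", dst="192.0.2.53")
    for nat in (True, False):
        for filt in (True, False):
            print(f"NAT={nat} BCP38={filt} ->",
                  reply_destination(forged, "port-7", nat, filt))
```

Only the case with neither NAT nor ISP filtering delivers the answer to the forged address, which is why ingress filtering at the ISP edge matters for devices that are bridged straight onto the Internet.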
